Another Java zero-day exploit in the wild actively attacking targets

Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation."

The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits that were later linked to a developer website that itself had been hacked and turned into a platform for exploiting zero-day vulnerabilities in Java. Microsoft has also said its computers were hacked in a manner consistent with the same attack. Oracle says Java runs on three billion devices, although only Java browser plugins have been targeted in the string of exploits.

According to FireEye, the observed exploit "is not very reliable, as it tries to overwrite a big chunk of memory." Most of the time, attackers succeed in downloading a malicious payload onto the targeted machine, but it fails to execute. A researcher from Russia-based antivirus provider Kaspersky confirmed the bug to IDG News but went on to say the vulnerability can't be triggered in older versions such as Java 7 Update 10. Kaspersky also said the attacks appeared to target specific individuals or organizations.

While some may be tempted to install an older Java version to protect themselves against this latest exploit, readers should remember that attackers continue to exploit already patched bugs, too. Earlier this week, researchers discovered two additional vulnerabilities in Java. Neither one involves memory corruption, meaning they aren't the ones being exploited in the latest attacks, Adam Gowdiak, CEO of Poland-based Security Explorations, told Ars.

As Ars has advised for months now, people who have no need for Java should consider uninstalling it altogether, uninstalling just the browser plugin, or using a dedicated browser for the handful of sites they frequent that require Java and a separate browser for accessing all other sites.
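If you follow the advice above and uninstall or disable the plugin, it is worth confirming that the browser has actually stopped advertising it, since a site can see the plugin through navigator.mimeTypes and navigator.plugins before it ever loads an applet. The check below is an added example, not code from the article, FireEye or Oracle. It assumes the MIME types the Oracle NPAPI plugin normally registers (application/x-java-applet and friends, often with a ";version=" suffix) and a plugin name containing "Java"; the fixture data is constructed, not captured from a real browser.

```javascript
// Added example (not from the article): confirm that a browser no longer
// exposes the Java plugin after it has been uninstalled or disabled.
//
// Assumption: the Oracle NPAPI plugin registers MIME types such as
// "application/x-java-applet" (often with a ";version=..." suffix) and a
// plugin entry whose name contains "Java". Both are readable by page script
// via navigator.mimeTypes and navigator.plugins.
//
// The check is a pure function so it can be run against the live navigator
// object in a browser console or against a constructed fixture.

const JAVA_MIME_PREFIXES = [
  "application/x-java-applet",
  "application/x-java-vm",
  "application/x-java-bean",
];

// Returns { exposed, byMime, byName, names } for array-like mimeTypes/plugins.
function javaPluginExposed(mimeTypes, plugins) {
  const mimes = Array.from(mimeTypes || []);
  const plugs = Array.from(plugins || []);

  const javaMimes = mimes
    .map((m) => String(m.type || "").toLowerCase())
    .filter((t) => JAVA_MIME_PREFIXES.some((p) => t.startsWith(p)));

  // Match "Java" as a whole word so a "JavaScript ..." plugin name does not count.
  const javaPlugins = plugs.filter((p) => /\bjava\b/i.test(String(p.name || "")));

  return {
    exposed: javaMimes.length > 0 || javaPlugins.length > 0,
    byMime: javaMimes.length > 0,
    byName: javaPlugins.length > 0,
    names: javaPlugins.map((p) => p.name),
  };
}

// Live check: paste into a browser console. Returns null outside a browser
// (Node's navigator, where present, has no mimeTypes), so it is safe to import.
function checkThisBrowser() {
  if (typeof navigator === "undefined" || !navigator.mimeTypes) return null;
  return javaPluginExposed(navigator.mimeTypes, navigator.plugins);
}

// Constructed fixtures, not captured from a real browser: one profile that
// still has the Java 7 Update 15 plugin registered, one where it is gone.
const FIXTURE_WITH_JAVA = {
  mimeTypes: [
    { type: "application/pdf" },
    { type: "application/x-java-applet;version=1.7" },
    { type: "application/x-java-vm" },
  ],
  plugins: [{ name: "Java(TM) Platform SE 7 U15" }, { name: "Shockwave Flash" }],
};

const FIXTURE_WITHOUT_JAVA = {
  mimeTypes: [{ type: "application/pdf" }],
  plugins: [{ name: "Shockwave Flash" }, { name: "JavaScript Helper" }],
};

// Stand-alone run: report on the fixtures, then on the current runtime.
for (const [label, fx] of Object.entries({ FIXTURE_WITH_JAVA, FIXTURE_WITHOUT_JAVA })) {
  console.log(label, javaPluginExposed(fx.mimeTypes, fx.plugins));
}
console.log("this runtime:", checkThisBrowser());
```

In a browser, run checkThisBrowser() after disabling the plugin; if it still reports exposed: true, the plugin is merely hidden in a menu somewhere and a booby-trapped page can still reach it. The dedicated-browser approach the article suggests can be verified the same way from inside each browser profile.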

Promoted Comments

I'm an IT geek working for a fairly large law firm. Unfortunately we have to have Java installed, and keep the browser plugin active for a crapton of sites our attorneys use daily. On top of that, our enterprise management software (Altiris, owned by Symantec) requires Java. Altiris and Symantec aren't exactly small companies, but they require us to have Java installed.

Personally I don't have any need for a Java plugin, but I do use a few Java apps (OOo or LibreOffice included), so I have to have the JRE installed.

Altiris was better than what we used where I used to work to keep track of software bugs. In fact, we had both, but were required to use the crappier but "more powerful" tool.

I wish that we didn't have so many applications at work that require Java at work. It would make the life of my IT department significantly easier if I could just dump Java out the window. Alas SAP and our developers have an affinity to the accursed thing.

I haven't had Java installed since the late '90s, never looked back. There is some misunderstanding with the general computer user that JavaScript = Java and you need to have it installed.

Java is and always will be complete dog sh8 and should be eradicated. The product really at this point under Oracle's hand is abandonware, and they only hold it so no one else can own it.

How about March 15th being Uninstall Java Day? Spread the word.

Or you could just uninstall the browser plugin, seeing how all these exploits use that plugin to get into your computer. Java still has a lot of use in Web applications and desktop applications. Applets, on the other hand, died out about eight years ago. They weren't the easiest to build nor, with things coming to light, the most secure*.

Or I could just not install it at all. I have not bumped into any application that needs Java, and if I ever do I'll just find an alternative rather than install Java. It's bloatware that I won't have on my computer. I've not had it installed for 13+ years; I don't see needing to use it ever again.

Real developers use the correct tool for the job. This is basic programming 101. Both Java and C# fill the same void, except that Java is used on more platforms.

As mentioned in the article (for kids who are unable to think), this only targets Java in the browser. No honest company has used that in almost a decade. Disable that if you are unable to make your own decisions.

For the rest of us (read: majority, adults, etc.), we know better than to hate a language and spread FUD.

For personal users, probably not.

For corporates, Java is still used quite a bit for a lot of customware. In my job, there are more applications that use Java than don't. Of course, we don't use particularly new versions of Java either, due to an insanely circuitous QA process.

Not that I particularly like Java to begin with, but you know how it is - doesn't matter if it's a good idea, you drive it until it's cheaper to migrate off of it than it is to continue using it.

Except for APL. I don't have a space-cadet keyboard and don't like to key Unicode characters all the time. And JavaScript. wtfjs will show you why.

Java isn't bloatware. It doesn't even have processes at startup, except a little one for the updates that you can remove, and it doesn't even require much space on disk. There are several programs that use Java, like Eclipse or JDownloader.

In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits

Today I noticed that the pages served by Twitter have curious <input> tags appearing *after* the closing </html> tag. One of these <input>s contains a value string which appears to refer to one particular Twitter user. Weird stuff. I wonder if it's related to the above news, or just some silly bug from the Twitter development team.

If you want true cross-platform, you stick with C or C++, not crappy Java or C#. Real developers?

I'm an IT geek working for a fairly large law firm. Unfortunately we have to have Java installed, and keep the browser plugin active for a crapton of sites our attorneys use daily.

I too work in the IT department of a law firm, and we also have to have Java installed with the browser plugin enabled. These threads about Java security are a regurgitation of each other; I can only assume the people spouting off about "who installs Java anyway!" have no job.

Seriously? Cross-platform? Proper tool for the job. If you want to reach everything you can, C of course. Seriously, how many for-profit companies do you know of that develop cross-platform, which would include Windows, Mac, Linux, Solaris, etc., etc., etc.? I haven't seen a single one yet. Most companies target 3 at the most, and that doesn't include mobile.

As for Java and C# being crappy ... after all these years, nobody has been able to back that up.

Let's not forget that what we are talking about here is the JVM and not necessarily Java. You need the JRE installed even if a program wasn't written in Java (I'm thinking about things written in Scala or Clojure, for example).

Java the language is OK but it is the JVM that is brilliant. Lots of interesting languages are built on top of it and it is the foundation for a lot of interesting projects. The hate for Java seems to mix the language and the JVM up when in fact they are two completely different things.

That's if you use platform-agnostic code and APIs. Even then you have to recompile for each OS you want to run it on.

But in the C/C++ world, lots of people use platform-specific (and sometimes processor architecture-specific) code to get the job done. If you want to port said code, you would have to replace the platform-specific code with code that gets the job done on the OS you're porting your code to (and sometimes you have the processor architecture-specific code that you need to port as well).

Since phones are presumably just as vulnerable to attacks like this, where is the option to disable Java on my Android phone's browser?

Android phones are not vulnerable to this:

1) Android phones do NOT have a Java plugin for the web browser.
2) Java bytecode on Android is extremely different from bytecode in your traditional x86 JVM.
3) If this is shellcode they are trying to run, the ARM processor architecture is different from the x86 processor architecture, and therefore x86 shellcode will not run on your phone (unless you have a phone with an Intel processor; then see #2).

Use OpenOffice or LibreOffice?

Use Microsoft Office; it works really well and has no Java. It's also the industry standard.

It works really well if you have it available for your OS. Microsoft really doesn't like Linux at all, but that's no indicator determining whether your OS gets Office or not because they also don't like OSX too well.